Legacy integer limit

owasp:api4:2019-integer-limit-legacy

Rule Severity: Low

Ensure that endpoints using integers specify limits for them. Use 'minimum' and 'maximum' to set the allowed range.
This rule applies at the API Specification level (OAS/Swagger).
Explicitly expecting integers within a specified range in the API spec will help mitigate resource exhaustion attacks (a sub-type of denial of service). APIs may suffer performance and availability issues when faced with an integer format they were not designed to process.
Setting limits helps in protecting a system against potential abuses or unforeseen edge cases, such as large numbers causing resource consumption issues or leading to overflows. Defining a clear range for integer values improves the predictability of the system, reducing the likelihood of unexpected errors or behaviors when out-of-range values are provided. Additionally, when the allowed range of values is clearly specified, it aids in clearer documentation, ensuring that anyone consuming the API has a better understanding of the expected inputs. Constraining the range of allowable values can improve the system's overall data integrity and consistency by preventing the storage of irrelevant or erroneous data.

Example Attack Scenario

Denial of Service (DoS): Attackers can create requests that exploit the integer limit to consume excessive resources or trigger errors, leading to a denial of service condition. For example, sending a request with a large number that exceeds the integer limit might cause the system to crash or become unresponsive.

1. How to Identify with Example Scenario

type: object
properties:
  myObj:
    # arbitrary name for the object
    type: integer
    # missing "minimum" & "maximum"

1. How to Resolve with Example Scenario

type: object
properties:
  myObj:
    # arbitrary name for the object
    type: integer
    maximum: 99
    minimum: 1
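
A minimal sketch of the check this rule describes, added here as an example and not the scanner's own implementation: it walks an OAS document loaded as JSON and reports every `type: integer` schema that lacks `minimum` or `maximum`. The function name `find_unbounded_integers` and the sample spec are assumptions constructed for illustration.

```python
import json

# Constructed sample spec (OAS 3 fragment in JSON form); all names are illustrative.
SAMPLE_SPEC = json.loads("""
{"paths": {"/items": {"get": {"parameters": [
   {"name": "limit", "in": "query", "schema": {"type": "integer"}},
   {"name": "page", "in": "query",
    "schema": {"type": "integer", "minimum": 1, "maximum": 99}}]}}},
 "components": {"schemas": {"Order": {"type": "object", "properties": {
   "myObj": {"type": "integer", "minimum": 1},
   "tags": {"type": "array", "items": {"type": "integer"}}}}}}}
""")


def find_unbounded_integers(node, path="#"):
    """Return (json_pointer, missing_keywords) for each integer schema lacking a bound."""
    findings = []
    if isinstance(node, dict):
        declared = node.get("type")
        # "type" may be a string, or a list of types such as ["integer", "null"].
        if declared == "integer" or (isinstance(declared, list) and "integer" in declared):
            missing = [k for k in ("minimum", "maximum") if k not in node]
            if missing:
                findings.append((path, missing))
        for key, child in node.items():
            # Escape "~" and "/" so the reported location is a valid JSON Pointer.
            token = str(key).replace("~", "~0").replace("/", "~1")
            findings.extend(find_unbounded_integers(child, f"{path}/{token}"))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            findings.extend(find_unbounded_integers(child, f"{path}/{index}"))
    return findings


if __name__ == "__main__":
    for pointer, missing in find_unbounded_integers(SAMPLE_SPEC):
        print(f"{pointer}: integer schema missing {', '.join(missing)}")
```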

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications